PMASA-2013-10

Summary

Description

phpMyAdmin has a number of mechanisms to avoid a clickjacking attack; however,
these mechanisms either work only in modern browser versions or can be
bypassed.

Severity

We consider this vulnerability serious.

Affected Versions

Versions 3.5.x and 4.0.x (prior to 4.0.5) are affected.

Solution

Upgrade to phpMyAdmin 4.0.5 or newer, or apply the patches listed below. We
have no solution for 3.5.x because the proposed solution requires JavaScript,
and we don't want to introduce a dependency on JavaScript in the 3.5.x family.

References

Thanks to Emanuel Bronshtein for reporting this issue. For more details,
please refer to this report.